Basic Authentication

When using basic authentication with our API, you provide a username, client code, and password each time you make a request. Once we validate those credentials, you’ll have met the authentication requirement for authorizing your requests.


The username, client code, and password are sent as a Base64-encoded string within the Authorization header of the request. The decoded string must be in this format:



Client code?

The basic authentication standard doesn't have a concept of a "client code." When you send us your client code, you're really sending it as part of a "username" with this format: [login name]@[client code].

Keep this in mind if you're making requests through our API explorer or another tool that asks for a separate username and password.


Production or Sandbox?

Be sure you know where any calls you run are hitting. If your production environment is and you run a DELETE with loginname@CompanyA in the explorer or your own API client, you will be running this delete on production data.

If you need a generic sandbox setup or your own custom sandbox environment for testing, see the Sandbox section under "Portal Documentation"


Some tools will take a username and password, and then automatically create an encoded Authorization header for you:

curl /
-u "user123@testclient:mypassword"

With others, you may have to create the header yourself:

import requests

url = ""
headers = {
    'authorization': "Basic dXNlcjEyM0B0ZXN0Y2xpZW50Om15cGFzc3dvcmQ="

response = requests.request("GET", url, headers=headers)

What’s Next